simple secure and flexible vpn solution for home and
play

Simple, Secure and Flexible VPN solution for home and business me - PowerPoint PPT Presentation

Aug 20, 2023 •180 likes •576 views

Simple, Secure and Flexible VPN solution for home and business me Romain Bourgue IT Security and open source fan Works for the french Civil Service since 2003 romain.bourgue@gmail.com Summary VPN solutions : multiple choices

  1. Simple, Secure and Flexible VPN solution for home and business

  2. me ● Romain Bourgue ● IT Security and open source fan ● Works for the french Civil Service since 2003 ● romain.bourgue@gmail.com

  3. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

  4. Summary ● VPN solutions : multiple choices for multiple situations ● Quick reminder about secure VPN ● IPsec based solutions ● SSL based solutions ● Commercial fake SSL “ VPN “ ● OpenVPN ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

  5. VPN solutions overview Quick reminder about secure VPNs ● Main objective : ● securely encapsulates data between 2 or more networked devices not on the same private network. ● Responsible for : ● Authenticate (both ways) ● Insure data integrity ● Encrypt/Decrypt ● Encapsulate/”decapsulate” ● Lots of solutions, very few compatibilty

  6. VPN Solutions Ipsec based solutions ● IPSec pros : ● Widely supported ● Interoperability is achievable for lan-to-lan connectivity ● IPsec cons : ● Specific protocols AH, ESP ● No automatic negotiation ● Difficult to open in firewalls ● Bad NAT support ● IPsec in itself is not enough for VPN roadwarriors : Needs specific implementations

  7. VPN Solutions Ipsec based solutions ● Specific Implementations ● Vendor specific implementation for endusers : Cisco VPN Client, Checkpoint Secure Client, Juniper IPSec Client... ● MS PPP/L2TP/IPsec : natively supported in Windows OS and devices ● Still good for : LAN-to-LAN in heterogeneous situations

  8. VPN Solutions SSL/TLS based VPN ● Uses SSL/TLS security for authentication, key negociation and session renegociation ● Data encapsulation is still specific. ● Implementations ● Clientless : ActiveX or Java applet based SSL/TLS VPN (transport through loopback listening sockets) ● Client based commercial solution : Cisco, Juniper, Connectra ● Openssh, Openvpn ● Good for : Securing endusers connection (roadwarriors, wifi, admin networks...)

  9. VPN Solution Commercial fake SSL VPN ● Commercially called SSL VPN... they are just https servers with : ● Reverse proxy to serve internal web ressources ● Web interfaces to add functionnality : VNC/RDP for remote administration, WebMail, Web access to windows shares...

  10. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● Quick facts ● In-depth presentation ● Few more things ● Performances ● Configuration basis ● Plugability & Hooks for fun and creativity ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

  11. Open VPN Quick facts ● Created for personal use by James Yonan ● Dual license : – Community edition : GPL v2 – Commercial edition. Adds a distribution server and Client and Management GUI ● Version history – May 2001 : v0.9 first release – .... – Dec 2009 : v2.1.1 ● Roadmap for v3.0 : Become a generic network stack with modules for everything... ● Available in : Linux, Solaris, *BSD, Windows (XP to 7 and Mobile), MAC OS, Android, Iphone...

  12. OpenVPN in-depth Architecture ● Case study : simple VPN connection

  13. OpenVPN in-depth Architecture ● Case study : simple VPN connection

  14. OpenVPN in-depth Architecture

  15. OpenVPN in-depth Architecture OpenVPN software Runs in user space. Same software in client or server mode. Only the config file differs.

  16. OpenVPN in-depth Architecture

  17. OpenVPN in-depth Architecture Tun/Tap device : Virtual interface plugged to a character device. Applications in user space can read and write IP packet (tun) or ethernet frames (tap) to this interface

  18. OpenVPN in-depth Architecture

  19. OpenVPN in-depth Architecture

  20. OpenVPN in-depth

  21. OpenVPN in-depth Transport ● OpenVPN tunnels can be transported over TCP or UDP ● With TCP transport, TCP data are tunneled over TCP . Congestion controls are runnning twice and badly interract when congestion occurs ● Still, TCP 443 might be your only way out ● HTTP proxy is also supported

  22. OpenVPN in-depth Multiplexer & Reliability ● Packets and frames transport need unreliability but SSL/TLS stuff does... ● The reliability layer provides it (only in UDP mode). ● An optional pre-openSSL HMAC (pre shared key) can be added at this layer

  23. OpenVPN in-depth 1 – Authentication & key gen ● 2 authentication modes supported : ● Static pre-shared key (doesn't scale well...) ● SSL/TLS with certificates for authentication and keys negotiation (preferred) ● easyca provided for simple PKI certificate generation ● Provides keys for encryption & HMAC validation

  24. OpenVPN in-depth Data encryption ● Data Encryption/decryption is made by standard OpenSSL EVP interface with the negociated keys. ● HMAC validation is also made with OpenSSL EVP ● An optional pre-OpenSSL HMAC header can be added.

  25. OpenVPN in-depth Encapsulation ● Packets are read/written from the tuntap device ● The MSS is adjusted by OpenVPN request to avoid fragmentation

  26. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● Quick facts ● In-depth presentation ● Few more things ● Performances ● Configuration basis ● Plugability & Hooks for fun and creativity ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

  27. Few more things ● Authentication – Can also be : ● Without client certificate ● and/or login password validated with user script (pam, ldap, OTP, db...) – Dual factor PKCS11 and MS cryptoapi supported ● Clients management : – OpenVPN server acts as a DHCP server. DHCP options supported. – IP pool management with sticky address – Routes can be pushed from server ● LB & FailOver : – Natively supported in client config file

  28. Hardening OpenVPN ● Tls-auth : A simple but efficient HMAC A shared static key is used to add an integrity header to vpn packets. If the HMAC is false : packet drooped. Prevent bruteforce, tempering, libssl exploitation. ● root privilege dropping ● After init ● With sudo for iproute ● In chrooted environment

  29. Performances ● Due to heavy kernel space/user space data transferts, OpenVPN performances are not as good as Ipsec's Source : http://stuff.skoberne.net/IPSec_and_OpenVPN_Performance.pdf

  30. Using OpenVPN : configuration basis ● Installing and running openvpn on linux ● (apt-get|yum|urpmi|...) install openvpn ● /etc/openvpn/ for config file(s) ● /etc/init.d/openvpn start [configfile] ● Configuration ● 2 modes : commands args and/or config file

  31. Plugability & Hooks for fun and creativity Client and server side user defined scripts can be easily called on multiple events : ● Tunnel up/down ● Certificate verification ● Login/password verification ● Client authenticated ( server side) ● Remote IP address change ● Route up ( client side) ● Client disconnected ● New route/MAC address added to the server Lots of environment variables are set before calling the scripts. Telnet management interface

  32. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Tale I : “Home sweet home : The Simple 4 Lines Config“ ● Tale II : “Escaping the evil proxy“ ● Tale III : “The OpenVPN server, the CAS WebSSO, and the brave firewall“ ● Want more ? Need help ?

  33. Tale I : “Home sweet home : The Simple 4 Lines Config“ ● Goal : configure a host-to-host connection for accessing your home network (192.168.1.0/24) anywhere. ● Static key generation : openvpn --genkey --secret static.key ● Server config : dev tun ifconfig 10.1.0.1 10.1.0.2 secret static.key ● Client config : remote serveraddress dev tun ifconfig 10.1.0.2 10.1.0.1 secret static.key route 192.168.1.0 255.255.255.0

  34. Tale II : “Escaping the evil proxy“ ● Objective : transport your VPN over an http proxy and route everything to it ● Change to tcp mode : proto tcp ● And just add this to the client configuration : http-proxy [proxyaddress] [proxyport]

  35. Tale III : OpenVPN with CAS sso authentication ● Objective : Using scripts capabilities of openvpn, delegate authentication on a CAS web SSO server ● Ingredients : ● A CAS Web SSO server ● A firewall ● A gatekeeper : web application relying on CAS SSO ● An OpenVPN server ● A client ● Few scripts

  36. Tale III : OpenVPN conf ● Connection to openVPN is made without authentication : --certificate-free. ● --ha-mac is used to prevent total strangers ● User's VPN IP is blocked by a firewall ● An application relying on cas authentication allow the IP address on the firewall upon successful SSO authentication. ● An action script is triggered when client disconnects to clear the IP on the firewall

  37. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

Recommend

Protecting Yourself from Burglary: Simple Steps You Can Take To Secure Your Home, and Your Loved

Protecting Yourself from Burglary: Simple Steps You Can Take To Secure Your Home, and Your Loved

Protecting Yourself from Burglary: Simple Steps You Can Take To Secure Your Home, and Your Loved Ones Presented by the Burlington Police Department For the majority of burglaries in Burlington, entry is gained by the use of unlocked doors or

870 views • 21 slides
Aadhaar Based Payment Services - A Simple , Secure and User friendly Mode of Payment Solution

Aadhaar Based Payment Services - A Simple , Secure and User friendly Mode of Payment Solution

Aadhaar Based Payment Services - A Simple , Secure and User friendly Mode of Payment Solution Two variants of Aadhaar based Payment Services Distribution of Electronic Benefit transfer ( crediting the bank accounts of the beneficiaries

387 views • 12 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
WireGuard zswu Computer Center, CS, NCTU WireGuard Introduction Simple and fast VPN solution

WireGuard zswu Computer Center, CS, NCTU WireGuard Introduction Simple and fast VPN solution

WireGuard zswu Computer Center, CS, NCTU WireGuard Introduction Simple and fast VPN solution Low overhead Deep integration with Linux kernel Over UDP Peer to Peer Secure Built-in Roaming Connections keep alive even

490 views • 18 slides
The Chemomentum Chemomentum Data Services Data Services The A flexible solution for data

The Chemomentum Chemomentum Data Services Data Services The A flexible solution for data

IST-5-033437 The Chemomentum Chemomentum Data Services Data Services The A flexible solution for data handling in UNICORE A flexible solution for data handling in UNICORE Katharina Rasch, Robert Schne, Hartmut Mix - Technische Universitt

354 views • 24 slides
BEHAVIOR @ HOME Simple Behavior Strategies Simple strategies that can make a big difference!

BEHAVIOR @ HOME Simple Behavior Strategies Simple strategies that can make a big difference!

BEHAVIOR @ HOME Simple Behavior Strategies Simple strategies that can make a big difference! Presented by Michelle Heid, MA, BCBA Hosted by Family Focus Resource Center Simple Behavior Strategies Proactive strategies Reminders Choices

794 views • 25 slides
Main principles of secure OS

Main principles of secure OS

Main principles of secure OS Trusted Flexible Secure Versatile modular Internet security

490 views • 26 slides
Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure OT is impossible (even against PPT adversaries) in the plain model (i.e., without the help of another functionality) But possible from simple

527 views • 16 slides
CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and

CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and

CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and Todd Austin Presented by Dan Amelang Background Rise of the Internet created demand for fast and efficient cryptographic processing

309 views • 14 slides
Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October 15, 2014 Marek Va sut < marex@denx.de > Secure and flexible boot with U-Boot bootloader Marek Vasut Software engineer at DENX S.E. since

382 views • 35 slides
Using ElasticSearch as a fast, flexible, and scalable solution to search occurrence records and

Using ElasticSearch as a fast, flexible, and scalable solution to search occurrence records and

Using ElasticSearch as a fast, flexible, and scalable solution to search occurrence records and checklists Christian Gendreau, Canadensys Marie-Elise Lecoq, GBIF France Introduction ElasticSearch is an open source, document oriented, distributed

612 views • 20 slides
PLATFORM that adapts to your needs Technical documentation Designed in France, Whaller is a

PLATFORM that adapts to your needs Technical documentation Designed in France, Whaller is a

The secure collaborative PLATFORM that adapts to your needs Technical documentation Designed in France, Whaller is a simple, yet rich, collaborative solution that allows organizations to create their own secure, tailor-made social networks.

845 views • 38 slides
RADIATOR THE MOST FLEXIBLE AAA SOLUTION IN THE WORLD Radiator AAA software -- since 1997

RADIATOR THE MOST FLEXIBLE AAA SOLUTION IN THE WORLD Radiator AAA software -- since 1997

RADIATOR THE MOST FLEXIBLE AAA SOLUTION IN THE WORLD Radiator AAA software -- since 1997 Customers in OVER 180 countries DOZENS of TOP 100 enterprises and universities OVER 50% of LARGEST 25 mobile operators OEM component in HUNDREDS of MOBILE

391 views • 28 slides
Knowledge networks of biological and medical data An exhaustive and flexible solution to model

Knowledge networks of biological and medical data An exhaustive and flexible solution to model

Knowledge networks of biological and medical data An exhaustive and flexible solution to model life sciences domains Dr. Sascha Losko, Dr. Karsten Wenger, Dr. Wenzel Kalus, Dr. Andrea Ramge, Dr. Jens Wiehler, Dr. Klaus Heumann Biomax

376 views • 19 slides
SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs

SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs

SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs Canadian Internet Registration Authority Jacques.Latour [@] cira.ca Today's home network and IoT products and solutions lack secure testing and

696 views • 24 slides
Challenges in Access Right Assignment for Secure Home Networks

Challenges in Access Right Assignment for Secure Home Networks

Challenges in Access Right Assignment for Secure Home Networks Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig (CMU) Jesse Walker

484 views • 17 slides
The future of Messaging is integrated Secure and GDPR-ready video-, voice and chat solution

The future of Messaging is integrated Secure and GDPR-ready video-, voice and chat solution

Grape Chat Presentation 2019 The future of Messaging is integrated Secure and GDPR-ready video-, voice and chat solution that lives inside your favourite tools. The secure Autobahn of communication Integrate Grape with market leading

568 views • 25 slides
S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property

S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property

S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property unencumbered, easily explained, provably secure, pseudonymous, 2-party, web domain based, authenticated identity solution, including complete identity

840 views • 38 slides
UFLEX LIMITED Indias largest multinational flexible packaging materials and solution company

UFLEX LIMITED Indias largest multinational flexible packaging materials and solution company

UFLEX LIMITED Indias largest multinational flexible packaging materials and solution company Manufacturing Globally to serve Locally August 2020 Disclaimer No representation or warranty, express or implied, is made as to, and no reliance

4k views • 56 slides
Genuine onion: Simple, Fast, Flexible, and Cheap Website Authentication Paul Syverson

Genuine onion: Simple, Fast, Flexible, and Cheap Website Authentication Paul Syverson

Genuine onion: Simple, Fast, Flexible, and Cheap Website Authentication Paul Syverson a U.S. Naval Research Laboratory f joint work with Griffin Boyce Open Internet Tools Project IEEE Web 2.0 Security and

540 views • 35 slides
A Simple and Efficient Solution of the Identifiability Problem for Hidden Markov Models and

A Simple and Efficient Solution of the Identifiability Problem for Hidden Markov Models and

Guideline Introduction String Functions Solution of the Identifiability Problem A Simple and Efficient Solution of the Identifiability Problem for Hidden Markov Models and Quantum Random Walks Alexander Schnhuth Pacific Institute for the

648 views • 37 slides
MONSTER HIRING MANAGEMENT AN APPLICANT TRACKING SOLUTION THAT IS COMPLIANT, FLEXIBLE, AND

MONSTER HIRING MANAGEMENT AN APPLICANT TRACKING SOLUTION THAT IS COMPLIANT, FLEXIBLE, AND

MONSTER HIRING MANAGEMENT AN APPLICANT TRACKING SOLUTION THAT IS COMPLIANT, FLEXIBLE, AND PROVEN. MONTH 2014 Monster Hiring Management A federal-level applicant tracking solution Compliance without Complexity Reduce the complexity of your

470 views • 12 slides
Matrix Hospitality Solution Customer Service made Simple Matrix Hospitality Solution Agenda

Matrix Hospitality Solution Customer Service made Simple Matrix Hospitality Solution Agenda

Matrix Hospitality Solution Customer Service made Simple Matrix Hospitality Solution Agenda What are the Needs of Hotel? Why you need Matrix to explore this Opportunity? Matrix A leading Hospitality Solution Provider A

535 views • 32 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides

More recommend